Re: [MLS] multiple devices per user?

Richard Barnes <> Mon, 26 March 2018 21:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9C800126CF6 for <>; Mon, 26 Mar 2018 14:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9w1yhfsW7QS7 for <>; Mon, 26 Mar 2018 14:45:54 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF1DD126CB6 for <>; Mon, 26 Mar 2018 14:45:53 -0700 (PDT)
Received: by with SMTP id r82so18185184wme.0 for <>; Mon, 26 Mar 2018 14:45:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SvwTezzgf/gmTQNGSS8iEoUPuDxIGbIBThqmgarIrgU=; b=fG9Nxj1MAoAnrhFwbPb2KLr+T9NVOnnY+lLrACqUrkWT+u2PJRd/5aEe2+fwCidXzU 8x2WNgAMFb2J0CvsTANNWTJ8Rl81djjg1syIMBWCj8MvU+j4CT1kMe6bEmukoBXg58+/ e4ALCCMto3JeolpZJg9fAnUg68FB1lxnz4/TqBVv+Q3++3CHvraoEPq5SupSM3tM8GGe 5ZH54z7U/CEC5TNBdbIXzngL0lNK+sIRgw3ZvV/XLFNFoxyqy2yTQoAwMlVyAygNzYwe hZw0bJcraJyYtGk2DwKxkR/cYWt8I/rpJomEZjvdwCZ9x3JNWcqf5I+qlsNkiJlHvX+v 0Ybg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SvwTezzgf/gmTQNGSS8iEoUPuDxIGbIBThqmgarIrgU=; b=GySfr1a6lJcBxrFvJ4NoRQoXpoQV3n5xHcPDVuRkguj09Ey0czUIPWo1j7HXo4SPCO MdktWt3rNIGKehHJJiB1/ZV0qjD0/o4iMtIcz88lbqbAyW+583PhX38+ihyBL65ZjS5E 06enRpDS8HzbbyYWQAP5zkMINTR8D+g53qLETA2p0uTSBBZYgi/FE502vdf9cMEJdC/o LKeDqMyCRXkotTcJOE4LlvsyLLMDxKil+H1pPbEodfDZePWpiJlIhvVDSjbFrmP2N3Ir uePeEJxlLCQT7yc9jOkOvFD0hHzYkDzNRVOswG9XKcMzg1UNKpzhMCqeXWju3pT9Lnmy pqlA==
X-Gm-Message-State: AElRT7Gph8Y+gGlFvibuZb/+hJtIer41J6XNVOqvQDO7Bv41fMNKlOZM GpvHaRtltP7cX/vNifSTqKB0L7Y2PQBS+ox/UVXYuA==
X-Google-Smtp-Source: AG47ELu+73GC+oGIYQKKDYG1Ex+VawcQPAJgLbUsSQetkNV2xplVIrBu9D/SJR7d4CcXtLF1fgFrqMcj5DAY63GJmcY=
X-Received: by with SMTP id 143mr17866970wmg.61.1522100752133; Mon, 26 Mar 2018 14:45:52 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 26 Mar 2018 14:45:51 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Richard Barnes <>
Date: Mon, 26 Mar 2018 22:45:51 +0100
Message-ID: <>
To: Rich Persaud <>
Cc: Eric Rescorla <>,, Daniel Kahn Gillmor <>
Content-Type: multipart/alternative; boundary="001a11442348a4c531056857b260"
Archived-At: <>
Subject: Re: [MLS] multiple devices per user?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Mar 2018 21:45:56 -0000

Hey all,

Sorry, I was in meetings over the weekend and missed the fun :)  Let me try
to sum up.

tl;dr:  It's an application decision. The protocol should be oriented
around per-device keys, but we should also document the privacy concerns
and some approaches to mitigating them.

I agree with DKG that we should not hard-code a one-key-per-device
assumption into the protocol.  But at the same time, I don't want this
group to have to assume the complexity of a protocol to sync keys across
devices in addition to what it's already got.  And has been pointed out,
there are some valid reason to want individual device keys to be exposed in
the protocol, e.g., key comparison and device revocation.

Fortunately, we don't have to make a choice here.  Because the protocol
doesn't know whether a leaf key is an actual leaf or the root of a subtree,
there's a clean interface point where applications can make a decision.
You could even imagine different clients in one group making different

So I would suggest we do the following:
- No change to the protocol document
- In the architecture document:
  - Lay out the privacy risk that can arise from using per-device keys
  - Present the two approaches discussed in this thread for how to do key
sync (explicit sync and sub-trees)

That way, the WG's document set will provide guidance to implementors about
the risks and how to mitigate, without diving into the complexity of a full


On Mon, Mar 26, 2018 at 10:16 AM, Rich Persaud <> wrote:

> On Mar 24, 2018, at 18:42, Eric Rescorla <> wrote:
> On Sat, Mar 24, 2018 at 10:32 PM, Daniel Kahn Gillmor <
>> wrote:
>> Furthermore, it's not clear what a group conversation participant can
>> *do*, security-wise, in the event of recieving such a message from
>> another participant -- is this actually a new phone, or is it a wiretap
>> injection?  should i ask the user about it?  should i take action?  what
>> ction?
> In Wire, if Alice has marked each of Bob's device fingerprints as
> "verified", then the addition of a new device by Bob results in an
> immediate message to Alice.  The recommended action is to verify the new
> fingerprint out of band, then Alice can mark Bob's new device as
> "verified".
> Generally, I wouldn't expect them to take any action at all. It's a user's
> responsibility to ensure that the right number of devices are registered
> to their account, just as its common for the number of Web browsers
> one has attached to ones Gmail account.
> Here is a scenario on iOS:
> (1) User is logged into Facebook via Chrome.  User is not logged into
> Facebook in Safari, to avoid Facebook tracking on non-Facebook websites
> visited in Safari.
> (2) User receives FB email notification in Apple email.  If user clicks on
> a link in the email, it opens in Safari and Facebook *automatically logs
> the user in without a password*.
> (3) User then receives FB email notification that they have added a new
> device.
> (4) User must now manually log out of Facebook, then click on a tiny close
> button on account icon to delete the cookie associated with that user, to
> avoid Facebook tracking on non-Facebook websites.  That removes (?) the
> browser as a known device.
> Each of the individual UX decisions above could make sense in some
> contexts, but when combined on iOS where the user cannot choose the browser
> in which email links are opened, it leads to an undesirable UX where the
> user must invest repeated effort to ensure that the right number of devices
> are registered to their account.
> Rich
> _______________________________________________
> MLS mailing list